"If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk."

Since this 'hook' is only active in an infected Windows install, changing your MBR outside of Windows ought to do the trick, i.e. boot to a Windows XP install disc and "fixmbr", or "bootrec /fixmbr" for Vista/7.

Leave that disc in and boot up back into your current installation of Windows... Then Start > Run > sfc /scannow and you should be OK? You could use System Restore too, I suppose, but when you're a hammer every problem looks like a nail, I guess.
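The two points in this thread that a defender actually needs to check are (a) whether the bootstrap code in sector 0 still matches a known-good copy, and (b) whether a repair write to the MBR really landed on disk, since the quoted article says the rootkit's filter silently turns the write into a read while still reporting success. The script below is an added example written for this thread, not code from the article or from any poster. It parses a 512-byte MBR from a disk image, hashes the 440-byte bootstrap region against a baseline, and does a write-then-read-back check; the byte patterns, partition layout and the `HookedDisk` class that mimics the filter driver are all constructed for the demo and are not taken from any real sample.

```python
import hashlib
import io
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440        # bytes before the disk signature and partition table
PART_TABLE_OFF = 446
BOOT_SIG = b"\x55\xAA"
PART_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(bootstrap: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and up to four (type, lba_start, sectors) tuples.
    Used only to construct test data for this example."""
    assert len(bootstrap) <= BOOTSTRAP_LEN
    mbr = bytearray(SECTOR)
    mbr[:len(bootstrap)] = bootstrap
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        status = 0x80 if i == 0 else 0x00          # first entry marked bootable
        mbr[off:off + 16] = struct.pack(PART_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

def parse_mbr(mbr: bytes) -> dict:
    """Validate the 55AA signature, hash the bootstrap code and decode non-empty partition entries."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR: wrong length or missing 55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, start, count = struct.unpack(PART_FMT, mbr[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": start, "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": parts}

def bootstrap_matches_baseline(mbr: bytes, baseline_sha256: str) -> bool:
    """Offline check (live CD / mounted image): does sector 0's code still match the known-good hash?"""
    return parse_mbr(mbr)["bootstrap_sha256"] == baseline_sha256

def write_and_verify(disk, new_mbr: bytes) -> bool:
    """Write sector 0, then read it back. A filter that quietly converts the write into a read
    reports success but leaves the old sector in place, so the read-back will not match."""
    disk.seek(0)
    disk.write(new_mbr)
    disk.flush()
    disk.seek(0)
    return disk.read(SECTOR) == new_mbr

class HookedDisk(io.BytesIO):
    """Constructed stand-in for the infected driver: writes to sector 0 'succeed' but are discarded."""
    def write(self, b):
        if self.tell() < SECTOR:
            self.seek(self.tell() + len(b))   # advance as if written, change nothing
            return len(b)
        return super().write(b)

# Constructed sample data (not real boot code): a "clean" bootstrap and a "tampered" one.
CLEAN_BOOTSTRAP = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 32
TAMPERED_BOOTSTRAP = b"\xE9\x00\x01" + b"\xCC" * 40
PARTS = [(0x07, 2048, 204800)]                     # one NTFS-type partition starting at LBA 2048
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, PARTS)
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]
TAMPERED_MBR = build_mbr(TAMPERED_BOOTSTRAP, PARTS)

def demo() -> dict:
    """Run the two checks against a clean image and against the hooked stand-in."""
    return {
        # offline hash comparison flags the modified bootstrap code
        "tampered_detected": not bootstrap_matches_baseline(TAMPERED_MBR, BASELINE),
        # the partition table itself is untouched, so a partition listing alone would not reveal it
        "partitions_intact": parse_mbr(TAMPERED_MBR)["partitions"] == parse_mbr(CLEAN_MBR)["partitions"],
        # repairing from outside the infected OS: the write sticks
        "repair_from_clean_os": write_and_verify(io.BytesIO(TAMPERED_MBR), CLEAN_MBR),
        # repairing while the hook is active: write "succeeds" but read-back still shows the old sector
        "repair_under_hook": write_and_verify(HookedDisk(TAMPERED_MBR), CLEAN_MBR),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The read-back step is the one to keep: after running fixmbr or bootrec /fixmbr from the install disc, dump sector 0 again from the same offline environment and compare it with what you wrote; a mismatch means the write never reached the platter. The partition-table comparison is there to show why that check matters, since a bootkit that only replaces the bootstrap code leaves the partition layout looking perfectly normal.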

Rick said:
Leave that disc in and boot up back into your current installation of Windows... Then Start > Run > sfc /scannow and you should be OK? You could use System Restore too, I suppose, but when you're a hammer every problem looks like a nail, I guess.

I would expect using a BartPE or LiveCD and then virus scanning the inactive hard drive would point out the infected driver and result in a clean system. Unless there's more to the infection than the article describes.

Rick said:
Since this 'hook' is only active in an infected Windows install, changing your MBR outside of Windows ought to do the trick, i.e. boot to a Windows XP install disc and "fixmbr", or "bootrec /fixmbr" for Vista/7.

Leave that disc in and boot up back into your current installation of Windows... Then Start > Run > sfc /scannow and you should be OK? You could use System Restore too, I suppose, but when you're a hammer every problem looks like a nail, I guess.

I'd figured there would have to be a way to fix the MBR from outside of Windows. There's no way your computer could completely lock you out. I guess if your last clean System Restore point would net you the loss of a lot of info, a method like this would be more convenient.